[146781] in cryptography@c2.net mail archive

[Cryptography] Does NSA break in to endpoints (was Re: Bruce

daemon@ATHENA.MIT.EDU (Perry E. Metzger)
Sat Sep 7 20:00:32 2013

X-Original-To: cryptography@metzdowd.com
Date: Sat, 7 Sep 2013 20:00:25 -0400
From: "Perry E. Metzger" <perry@piermont.com>
To: Brian Gladman <brg@gladman.plus.com>
In-Reply-To: <522AE4D8.30505@gladman.plus.com>
Cc: Cryptography Mailing List <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On Sat, 07 Sep 2013 09:33:28 +0100
Brian Gladman <brg@gladman.plus.com> wrote:

> On 07/09/2013 01:48, Chris Palmer wrote:
> >> Q: "Could the NSA be intercepting downloads of open-source
> >> encryption software and silently replacing these with their own
> >> versions?"
> > 
> > Why would they perform the attack only for encryption software? They
> > could compromise people's laptops by spiking any popular app.
> 
> Because NSA and GCHQ are much more interested in attacking
> communications in transit rather than attacking endpoints.

Except, one implication of recent revelations is that stealing keys
from endpoints has been a major activity of NSA in the last decade.

I'm not going to claim that altering patches and software during
download has been a major attack vector they've used for that -- I have
no evidence for the contention whatsoever and besides, endpoints seem
to be fairly vulnerable without such games -- but clearly attacking
selected endpoints is now an NSA pastime.

Perry
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
